| OLD | NEW |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 | 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 |
| 8 // until NSS 3.12.2 comes out and we update to it. | 8 // until NSS 3.12.2 comes out and we update to it. |
| 9 #define Lock FOO_NSS_Lock | 9 #define Lock FOO_NSS_Lock |
| 10 #include <cert.h> | 10 #include <cert.h> |
| (...skipping 326 matching lines...) |
| 337 | 337 |
| 338 // Call CERT_PKIXVerifyCert for the cert_handle. | 338 // Call CERT_PKIXVerifyCert for the cert_handle. |
| 339 // Verification results are stored in an array of CERTValOutParam. | 339 // Verification results are stored in an array of CERTValOutParam. |
| 340 // If policy_oids is not NULL and num_policy_oids is positive, policies | 340 // If policy_oids is not NULL and num_policy_oids is positive, policies |
| 341 // are also checked. | 341 // are also checked. |
| 342 // Caller must initialize cvout before calling this function. | 342 // Caller must initialize cvout before calling this function. |
| 343 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, | 343 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, |
| 344 const SECOidTag* policy_oids, | 344 const SECOidTag* policy_oids, |
| 345 int num_policy_oids, | 345 int num_policy_oids, |
| 346 CERTValOutParam* cvout) { | 346 CERTValOutParam* cvout) { |
| 347 // TODO(wtc): Disable OCSP until we track down the crash in OCSP code. | |
| 348 // See http://crbug.com/18907. | |
| 349 bool use_ocsp = false; | |
| 350 | |
| 351 PRUint64 revocation_method_flags = | 347 PRUint64 revocation_method_flags = |
| 352 CERT_REV_M_TEST_USING_THIS_METHOD | | 348 CERT_REV_M_TEST_USING_THIS_METHOD | |
| 353 CERT_REV_M_ALLOW_NETWORK_FETCHING | | 349 CERT_REV_M_ALLOW_NETWORK_FETCHING | |
| 354 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE | | 350 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE | |
| 355 CERT_REV_M_IGNORE_MISSING_FRESH_INFO | | 351 CERT_REV_M_IGNORE_MISSING_FRESH_INFO | |
| 356 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; | 352 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; |
| 357 PRUint64 revocation_method_independent_flags = | 353 PRUint64 revocation_method_independent_flags = |
| 358 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; | 354 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; |
| 359 if (policy_oids && num_policy_oids > 0) { | 355 if (policy_oids && num_policy_oids > 0) { |
| 360 // EV verification requires revocation checking. Consider the certificate | 356 // EV verification requires revocation checking. Consider the certificate |
| 361 // revoked if we don't have revocation info. | 357 // revoked if we don't have revocation info. |
| 362 // TODO(wtc): Add a bool parameter to expressly specify we're doing EV | 358 // TODO(wtc): Add a bool parameter to expressly specify we're doing EV |
| 363 // verification or we want strict revocation flags. | 359 // verification or we want strict revocation flags. |
| 364 if (!use_ocsp) | |
| 365 return SECFailure; // No OCSP, no EV. | |
| 366 revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE; | 360 revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE; |
| 367 revocation_method_independent_flags |= | 361 revocation_method_independent_flags |= |
| 368 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; | 362 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; |
| 369 } else { | 363 } else { |
| 370 revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE; | 364 revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE; |
| 371 revocation_method_independent_flags |= | 365 revocation_method_independent_flags |= |
| 372 CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT; | 366 CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT; |
| 373 } | 367 } |
| 374 PRUint64 method_flags[2]; | 368 PRUint64 method_flags[2]; |
| 375 method_flags[cert_revocation_method_crl] = revocation_method_flags; | 369 method_flags[cert_revocation_method_crl] = revocation_method_flags; |
| 376 method_flags[cert_revocation_method_ocsp] = revocation_method_flags; | 370 method_flags[cert_revocation_method_ocsp] = revocation_method_flags; |
| 377 | 371 |
| 378 int number_of_defined_methods; | |
| 379 CERTRevocationMethodIndex preferred_revocation_methods[1]; | 372 CERTRevocationMethodIndex preferred_revocation_methods[1]; |
| 380 if (use_ocsp) { | 373 preferred_revocation_methods[0] = cert_revocation_method_ocsp; |
| 381 number_of_defined_methods = arraysize(method_flags); | |
| 382 preferred_revocation_methods[0] = cert_revocation_method_ocsp; | |
| 383 } else { | |
| 384 number_of_defined_methods = arraysize(method_flags) - 1; | |
| 385 preferred_revocation_methods[0] = cert_revocation_method_crl; | |
| 386 } | |
| 387 | 374 |
| 388 CERTRevocationFlags revocation_flags; | 375 CERTRevocationFlags revocation_flags; |
| 389 revocation_flags.leafTests.number_of_defined_methods = | 376 revocation_flags.leafTests.number_of_defined_methods = |
| 390 number_of_defined_methods; | 377 arraysize(method_flags); |
| 391 revocation_flags.leafTests.cert_rev_flags_per_method = method_flags; | 378 revocation_flags.leafTests.cert_rev_flags_per_method = method_flags; |
| 392 revocation_flags.leafTests.number_of_preferred_methods = | 379 revocation_flags.leafTests.number_of_preferred_methods = |
| 393 arraysize(preferred_revocation_methods); | 380 arraysize(preferred_revocation_methods); |
| 394 revocation_flags.leafTests.preferred_methods = preferred_revocation_methods; | 381 revocation_flags.leafTests.preferred_methods = preferred_revocation_methods; |
| 395 revocation_flags.leafTests.cert_rev_method_independent_flags = | 382 revocation_flags.leafTests.cert_rev_method_independent_flags = |
| 396 revocation_method_independent_flags; | 383 revocation_method_independent_flags; |
| 397 | 384 |
| 398 revocation_flags.chainTests.number_of_defined_methods = | 385 revocation_flags.chainTests.number_of_defined_methods = |
| 399 number_of_defined_methods; | 386 arraysize(method_flags); |
| 400 revocation_flags.chainTests.cert_rev_flags_per_method = method_flags; | 387 revocation_flags.chainTests.cert_rev_flags_per_method = method_flags; |
| 401 revocation_flags.chainTests.number_of_preferred_methods = | 388 revocation_flags.chainTests.number_of_preferred_methods = |
| 402 arraysize(preferred_revocation_methods); | 389 arraysize(preferred_revocation_methods); |
| 403 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; | 390 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; |
| 404 revocation_flags.chainTests.cert_rev_method_independent_flags = | 391 revocation_flags.chainTests.cert_rev_method_independent_flags = |
| 405 revocation_method_independent_flags; | 392 revocation_method_independent_flags; |
| 406 | 393 |
| 407 CERTValInParam cvin[3]; | 394 CERTValInParam cvin[3]; |
| 408 int cvin_index = 0; | 395 int cvin_index = 0; |
| 409 // No need to set cert_pi_trustAnchors here. | 396 // No need to set cert_pi_trustAnchors here. |
| (...skipping 207 matching lines...) |
| 617 DCHECK(0 != cert->derCert.len); | 604 DCHECK(0 != cert->derCert.len); |
| 618 | 605 |
| 619 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, | 606 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, |
| 620 cert->derCert.data, cert->derCert.len); | 607 cert->derCert.data, cert->derCert.len); |
| 621 DCHECK(rv == SECSuccess); | 608 DCHECK(rv == SECSuccess); |
| 622 | 609 |
| 623 return sha1; | 610 return sha1; |
| 624 } | 611 } |
| 625 | 612 |
| 626 } // namespace net | 613 } // namespace net |
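Review bot: The non-EV `else` branch of `PKIXVerifyCert` (new lines 363-367) has no comment saying that revocation checking there is best-effort, which matters more now that OCSP is actually consulted. Going by the flag names, `CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE`, `CERT_REV_M_IGNORE_MISSING_FRESH_INFO` and `CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT` together mean an unreachable responder does not fail verification. I would add `// Non-EV: revocation is soft-fail; an unreachable OCSP/CRL source does not fail verification.` above new line 364 so the asymmetry with the EV branch is explicit. The removed TODO was the only visible record of the OCSP crash tracked in http://crbug.com/18907, and nothing in the new code says what made it safe to re-enable, so a short comment naming the fix would help anyone bisecting a later crash in response handling. The function body continues into the skipped lines, so how `revocation_flags` is passed on through `cvin` is not covered by this note.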
| OLD | NEW |